Modify DirSync to not sync all users to Office 365 (part 1)

Introduction

Office 365, which was released to the public not so long ago, offers tighter integration with your on-prem environment compared to BPOS.
A lot of the features that make up this tighter integration rely on an underlying process called DirSync (Directory Synchronization).
What it actually does is synchronize certain attributes from your on-prem Active Directory with the cloud-directory, hence the name.

The main reasons to implement Dirsync are:

to have a unified GAL between your on-prem and cloud-based organization*

to enable identity federation so you can configure single sign on (SSO).**

to use the advanced features from a rich-coexistence scenario

* Office 365 does not support GAL Segmentation. Customers who have implemented some sort of GAL segmentation on-prem will not have the same experience in the cloud.
** Identity federation is the process where your on-prem Active Directory acts as an identity provider for your Office 365 environment. (Your users will use their on-prem username and password to access Office 365).

Although DirSync has been around since BPOS (previous version of Office 365), Microsoft made some changes to DirSync (now v2) specific for Office 365. The new version now e.g. writes back a small subset of attributes to your Active Directory and includes security groups in the process.

Note: This article doesn’t focus on how to install or configure DirSync, but rather assumes this has already been done.

DirSync & MIIS

The power behind the DirSync process actually comes from MIIS (Microsoft Identity Integration Server). The fact that the user who is configuring DirSync has to be a member of the local MIISAdmins security group might’ve already given that away.

You will see that the MIIS Client is available and it can be found in “C:\Program Files\Microsoft Online Directory Sync\Syncbus\UIShell” (default installation path).

If you open miisclient.exe you will notice that some management agents have been defined upfront. To keep things easy, Microsoft decided to provide DirSync with an appliance-like experience to overcome the difficulties of configuring MIIS.

The problem

Unfortunately, the default Management Agents are configured to sync (almost) all your on-prem AD objects. Although this might be okay for most customers, some may find it disturbing that e.g. service accounts are synced into the cloud as well. This happens because in most cases service accounts are just regular user objects with a single purpose (and MIIS has no way of knowing they are used solely for running a service). Although these synced users don’t consume licenses, if you have quite a few of them it can be inconvenient to have them show up between the other – legitimate – online users.

The solution

MIIS uses “Connector Filters” to filter out any “unwanted” objects. If you open up the properties of the “SourceAD” management agent, browse to “Configure Connector Filter” and select “user”, you will see the default ruleset that Microsoft uses to determine which user objects get synced into the cloud and which don’t. The same principle applies to the other object types as well.

Because we have full control over the management agents, we can easily make some adjustments to those filters. One way of achieving our goal is to add a filter.

For example, we want to rule out all user objects whose name starts with the prefix “svc_”. What we need to do is relatively simple. The reason I chose to create a filter based on the starting value of the sAMAccountName attribute is that it is the easiest common denominator for all service accounts in this example. If your service-account names are chosen randomly, it becomes much harder to configure a single rule that covers them all.

Click “New”, and configure a new filter based on the sAMAccountName that starts with a value equal to ‘svc_’.

Once you confirm, you’re done. On the next run of the DirSync process, user objects that start with “svc_” will be ignored. This only applies to objects that have not been synced before. If you’ve already got service accounts synced into the cloud, they will not get deleted. Just keep in mind that synced user accounts in Office 365 cannot be deleted from the admin portal; they are solely managed through AD (and synced by DirSync).
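To make the behaviour of the filter concrete, here is an added example (not code from the original article, nor from Microsoft's DirSync or MIIS) that models how a connector filter row like the one configured above decides which user objects are held back, and that lists the accounts already present in the cloud directory which the new filter will not remove. The sample user objects, the cloud snapshot and all function names are constructed for illustration; the case-insensitive comparison is an assumption you should verify against the ruleset in miisclient.exe.

```python
"""Model of a DirSync connector filter evaluated over on-prem AD user objects.

Added example, not code from the original article or from Microsoft's DirSync.
It imitates how an MIIS connector filter decides which user objects are held
back from the cloud directory: a list of rules, where an object is filtered
out as soon as any single rule matches. Sample users, the cloud snapshot and
all function names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterRule:
    """One row of a connector filter: <attribute> <operator> <value>."""
    attribute: str
    operator: str  # "startswith", "endswith", "equals" or "contains"
    value: str


def rule_matches(rule: FilterRule, obj: dict, case_insensitive: bool = True) -> bool:
    """Return True when the object's attribute satisfies the rule.

    Objects lacking the attribute never match. Case-insensitive comparison is an
    assumption (AD string attributes compare that way); check it against your
    own ruleset in miisclient.exe before relying on it.
    """
    actual = obj.get(rule.attribute)
    if actual is None:
        return False
    expected = rule.value
    if case_insensitive:
        actual, expected = actual.lower(), expected.lower()
    if rule.operator == "startswith":
        return actual.startswith(expected)
    if rule.operator == "endswith":
        return actual.endswith(expected)
    if rule.operator == "equals":
        return actual == expected
    if rule.operator == "contains":
        return expected in actual
    raise ValueError(f"unsupported operator: {rule.operator}")


def is_filtered(obj: dict, rules: list) -> bool:
    """An object is excluded from sync when ANY rule matches (rules are OR-ed)."""
    return any(rule_matches(r, obj) for r in rules)


def partition_users(users: list, rules: list) -> tuple:
    """Split user objects into (to_sync, held_back) lists of sAMAccountName."""
    to_sync, held_back = [], []
    for u in users:
        (held_back if is_filtered(u, rules) else to_sync).append(u["sAMAccountName"])
    return to_sync, held_back


def previously_synced_now_filtered(users: list, rules: list, cloud_accounts: set) -> set:
    """Accounts already in the cloud directory that the new filter would now hold back.

    Adding a filter only stops objects that have not been synced yet; objects
    synced earlier stay in Office 365 and cannot be deleted from the admin
    portal, so these are the accounts that need follow-up on-prem.
    """
    filtered_names = {u["sAMAccountName"] for u in users if is_filtered(u, rules)}
    return filtered_names & set(cloud_accounts)


# Constructed sample data: a handful of on-prem user objects ...
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@contoso.local", "displayName": "Jane Doe"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@contoso.local", "displayName": "Adam Smith"},
    {"sAMAccountName": "svc_backup", "userPrincipalName": "svc_backup@contoso.local", "displayName": "Backup service"},
    {"sAMAccountName": "svc_sql", "userPrincipalName": "svc_sql@contoso.local", "displayName": "SQL service"},
    {"sAMAccountName": "SVC_Monitor", "userPrincipalName": "svc_monitor@contoso.local", "displayName": "Monitoring agent"},
]
# ... and the accounts that were synced before the filter existed (constructed).
ALREADY_IN_CLOUD = {"jdoe", "asmith", "svc_backup"}

# The single rule the article adds on top of Microsoft's default ruleset.
SVC_RULE = [FilterRule("sAMAccountName", "startswith", "svc_")]

if __name__ == "__main__":
    synced, held = partition_users(SAMPLE_USERS, SVC_RULE)
    print("will sync:    ", synced)
    print("held back:    ", held)
    print("needs cleanup:", sorted(previously_synced_now_filtered(SAMPLE_USERS, SVC_RULE, ALREADY_IN_CLOUD)))
```

Running the script against the constructed data shows `jdoe` and `asmith` continuing to sync, the three `svc_` accounts being held back, and `svc_backup` flagged as an account that is already in the cloud and therefore will not disappear just because the filter was added. Replace `SAMPLE_USERS` with an export of your own user objects to preview the effect of a filter before you touch the management agent.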

Note: Microsoft does NOT support making any changes to the default management agents! Make sure that if you make changes, you know what changes you’ve made so that you can roll them back if ever needed.